Google has released an urgent security update for Android, patching over 100 vulnerabilities, including two critical flaws actively exploited by cybercriminals that could allow them to seize control of users’ smartphones and steal sensitive data.
These two urgent flaws are among 51 vulnerabilities already addressed by the company. Google confirmed that these specific vulnerabilities “may already be subject to limited and targeted attacks.”
The exploited vulnerabilities affect Android versions 13, 14, 15, and 16, and both relate to the core Android framework. One flaw allows malicious applications or code to gain elevated privileges on a device. An attacker could exploit this via a malicious link or compromised website to take full control of a smartphone and exfiltrate confidential user data.
The second critical flaw permits unauthorized access to sensitive data, including system metadata, technical credentials, configuration information, and user-specific data. Google has not released specific technical details about these vulnerabilities, stating it will do so after a majority of users have installed the necessary fixes.
The December 2025 Android security update addresses a total of 107 vulnerabilities found in the operating system’s code, its components, and features supplied by manufacturers like Qualcomm and MediaTek. While 51 vulnerabilities have been patched immediately, the remaining fixes are scheduled for release starting December 5.
Google revised its update schedule last September. Critical vulnerabilities, especially those actively exploited, continue to receive monthly fixes. However, less urgent security issues are now grouped into larger quarterly bulletins. This new approach aims to help phone manufacturers integrate at least some of the updates into their custom interfaces more quickly.
The update also includes a fix for another critical vulnerability that has not yet been exploited by hackers. This flaw in the Framework component could enable a remote denial-of-service (DoS) attack without requiring any special privileges.
For complete protection, smartphone manufacturers must integrate these security corrections into their customized Android interfaces, a process that can take some time. Users must then install these updates on their devices. To check for available updates, users can typically navigate to Settings, then select “About phone,” followed by “Software update.”